Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks.
Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks.
AnalysisAI
Net::CIDR::Set versions through 0.20 for Perl incorrectly accepts Unicode digits in IP addresses and CIDR netmasks, enabling network access controls to silently permit broader address ranges than intended. Applications relying on this library to enforce IP-based allowlists or blocklists may inadvertently grant or deny access to incorrect network ranges when Unicode look-alike digits (e.g., Arabic-Indic U+0661 instead of ASCII '1') are supplied as input. With no public exploit identified at time of analysis and SSVC exploitation status of none, this is a medium-severity library flaw requiring patch deployment rather than emergency response, but the automatable nature of the attack vector warrants prompt remediation in access-control-sensitive deployments.
Technical ContextAI
Net::CIDR::Set is a Perl CPAN module (publisher: RRWO) for managing sets of IP network ranges expressed in CIDR notation, commonly used in access control, firewall rule management, and IP filtering logic. The vulnerability is classified under CWE-1289 (Improper Validation of Consistency within Input), meaning the library fails to enforce consistency between what characters it accepts and what it meaningfully parses. Specifically, Unicode decimal digit characters - such as the Arabic-Indic digit ONE (U+0661, visually '١') - fall within Unicode's Nd (decimal digit) character category and may pass loose regex or character-class checks, yet are not equivalent to ASCII '1' (U+0031) in numeric parsing contexts. When such characters appear in a netmask (e.g., /2٤ instead of /24), the library misinterprets the numeric value, yielding an incorrect prefix length and thus a different - potentially far larger - network range. The affected CPE is cpe:2.3:a:rrwo:net::cidr::set:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade to Net::CIDR::Set version 0.21, which is the vendor-released patch as confirmed by the RRWO changelog on MetaCPAN (https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes). Using CPAN or cpanm: run 'cpan Net::CIDR::Set' or 'cpanm Net::CIDR::Set' to pull the latest release. The oss-security advisory (https://seclists.org/oss-sec/2026/q2/814) provides disclosure details. If an immediate upgrade is not possible, applications should sanitize all externally-supplied IP address and CIDR input by stripping or rejecting any non-ASCII characters before passing values to Net::CIDR::Set - for example, enforcing a strict regex such as /^[0-9a-fA-F.:/]+$/ prior to library calls. This workaround adds an input validation layer but does not fix the underlying library defect and should be treated as temporary only. Applications that accept CIDR input only from trusted internal sources (not user-supplied) have significantly reduced exposure.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34297
GHSA-hpv8-77xm-27wx